Query Details
# Large Number of Virtual Machines started

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1578.002 | Modify Cloud Compute Infrastructure: Create Cloud Instance | https://attack.mitre.org/techniques/T1578/002/ |

#### Description

This query detects when a large number of virtual machines are started within a short timeframe. It takes two inputs, Threshold and TimeFrame. Threshold is the number of distinct machines that must be started before the query outputs a result; TimeFrame is the length of the fixed time bin in which that number must be reached. Totals are calculated per subscription and resource group.

#### Risk

Actors may abuse compute resources for cryptomining purposes.

## Sentinel

```KQL
let Threshold = 25;
let TimeFrame = 1h;
AzureActivity
| where OperationNameValue =~ "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION"
| where ActivityStatusValue == "Success"
// The VM name is carried in the "resource" field of the Properties JSON
| extend ResourceName = tostring(parse_json(Properties).resource)
// Group by resource group (not the per-VM ResourceId), otherwise every group holds one VM and the threshold is never reached
| summarize Total = dcount(ResourceName), ResourceNames = make_set(ResourceName) by bin(TimeGenerated, TimeFrame), SubscriptionId, ResourceGroup
| where Total >= Threshold
```
This query is designed to detect when a large number of virtual machines (VMs) are started within a short period of time in an Azure environment. A breakdown of what the query does:
Purpose: Identify potential misuse of cloud compute, such as cryptomining, by alerting on an unusually high number of VM start operations.
Inputs: Threshold (default 25), the minimum number of distinct VMs that must be started for a result to be returned, and TimeFrame (default 1h), the size of the time bin in which that count must be reached. Both are set at the top of the query and should be tuned to the environment's normal start activity (scheduled scale-outs, auto-start policies, patch windows).
Process: Reads AzureActivity, keeps only successful "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION" operations (the =~ match is case-insensitive, the == on the status is not), extracts the VM name from the resource field of Properties, then counts distinct VM names per time bin, subscription and resource group. Because the count uses dcount, a VM that is started several times in the same bin counts once.
Output: One row per subscription, resource group and time bin in which the distinct count reached the threshold, with the count (Total) and the set of VM names (ResourceNames) for triage.
Caveats: bin() uses fixed windows, so a burst that straddles a bin boundary (for example 15 machines at 09:55 and 15 more at 10:05 with a 1h bin) is split across two rows and may not reach the threshold; shorten the bin or lower the threshold if that matters. make_set returns at most 128 values by default, so ResourceNames can be truncated for very large bursts while Total is unaffected.
Risk: This activity could indicate malicious behavior, such as unauthorized use of cloud resources for cryptomining.
In summary, the query helps in monitoring and alerting on potential security risks by identifying when a large number of VMs are started in a short time, which could signify unauthorized or malicious activity.
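The same aggregation re-implemented in Python, as an added example that is not code from the original page or from the author's repository, so the logic can be exercised offline against constructed AzureActivity-style records. It goes slightly beyond the Sentinel query by adding a sliding-window variant that shows the bin-boundary case. The records, resource group names and the lowered threshold of 4 are assumptions for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

START_OP = "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION"
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def _rec(hour, minute, rg, name, op=START_OP, status="Success", sub="sub-a"):
    """Build one constructed AzureActivity-style record (assumption, not a real log line).
    Properties is stored as a JSON string, as it is in the real table."""
    return {
        "TimeGenerated": datetime(2024, 10, 31, hour, minute, tzinfo=timezone.utc),
        "SubscriptionId": sub,
        "ResourceGroup": rg,
        "OperationNameValue": op,
        "ActivityStatusValue": status,
        "Properties": json.dumps({"resource": name, "resourceGroup": rg}),
    }


# Constructed sample data (assumption for illustration).
SAMPLE = [
    # rg-prod: four distinct VMs started inside the 09:00 bin, one of them twice
    _rec(9, 10, "rg-prod", "vm-prod-01"),
    _rec(9, 12, "rg-prod", "vm-prod-02"),
    _rec(9, 15, "rg-prod", "vm-prod-01"),                    # repeat start, counted once by dcount
    _rec(9, 20, "rg-prod", "vm-prod-03"),
    _rec(9, 25, "rg-prod", "vm-prod-04"),
    _rec(9, 30, "rg-prod", "vm-prod-05", status="Failed"),   # not a success, ignored
    _rec(9, 35, "rg-prod", "vm-prod-06",
         op="MICROSOFT.COMPUTE/VIRTUALMACHINES/DEALLOCATE/ACTION"),  # wrong operation, ignored
    # rg-dev: four distinct VMs started within 15 minutes, but across the 10:00 bin boundary
    _rec(9, 50, "rg-dev", "vm-dev-01"),
    _rec(9, 55, "rg-dev", "vm-dev-02"),
    _rec(10, 2, "rg-dev", "vm-dev-03"),
    _rec(10, 5, "rg-dev", "vm-dev-04"),
]


def _successful_starts(records):
    """Filter stage of the query: successful VM start actions with the VM name extracted."""
    for r in records:
        if r["OperationNameValue"].upper() != START_OP:   # =~ in KQL is case-insensitive
            continue
        if r["ActivityStatusValue"] != "Success":         # == in KQL is case-sensitive
            continue
        props = json.loads(r["Properties"])               # parse_json(Properties).resource
        yield r["TimeGenerated"], r["SubscriptionId"], r["ResourceGroup"], str(props["resource"])


def bin_start(ts, timeframe):
    """Equivalent of bin(TimeGenerated, TimeFrame): floor the timestamp to a fixed bucket."""
    return ts - ((ts - EPOCH) % timeframe)


def detect_mass_vm_start(records, threshold=25, timeframe=timedelta(hours=1)):
    """Mirror of the Sentinel query: distinct VM names per (bin, subscription, resource group),
    returning only the groups at or above the threshold."""
    groups = defaultdict(set)
    for ts, sub, rg, name in _successful_starts(records):
        groups[(bin_start(ts, timeframe), sub, rg)].add(name)
    return [
        {"TimeGenerated": key[0], "SubscriptionId": key[1], "ResourceGroup": key[2],
         "Total": len(names), "ResourceNames": sorted(names)}
        for key, names in sorted(groups.items()) if len(names) >= threshold
    ]


def detect_mass_vm_start_sliding(records, threshold=25, timeframe=timedelta(hours=1)):
    """Variant not in the original query: a window starting at every event, so a burst that
    straddles a bin boundary is still caught. Reports the first qualifying window per group."""
    per_group = defaultdict(list)
    for ts, sub, rg, name in _successful_starts(records):
        per_group[(sub, rg)].append((ts, name))
    hits = []
    for (sub, rg), events in sorted(per_group.items()):
        events.sort()
        for start, _ in events:
            names = {n for t, n in events if start <= t < start + timeframe}
            if len(names) >= threshold:
                hits.append({"WindowStart": start, "SubscriptionId": sub, "ResourceGroup": rg,
                             "Total": len(names), "ResourceNames": sorted(names)})
                break
    return hits


if __name__ == "__main__":
    for row in detect_mass_vm_start(SAMPLE, threshold=4):
        print("fixed bin:", row)
    for row in detect_mass_vm_start_sliding(SAMPLE, threshold=4):
        print("sliding  :", row)
```

With the threshold lowered to 4, the fixed-bin version flags only rg-prod (four distinct VMs in the 09:00 bin; the repeated start, the failed start and the deallocate are all ignored), while rg-dev's four starts are split two and two across the 09:00 and 10:00 bins and go unreported. The sliding variant catches both, which is the trade-off to weigh when choosing TimeFrame and Threshold for the production rule.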

Bert-Jan Pals
Released: October 31, 2024